4.12 RequestCertificatePfx
int RequestCertificatePfx(MyIDCertificateRequestPfx certificateRequest);
The RequestCertificatePfx method requests a “Software Certificate” for the specified user, to be issued as a PFX (PKCS #12, .pfx/.p12) file. The request must satisfy these rules:
- The Credential Profile must be set for “Software Certificates Only”
- The Credential Profile must have only one Certificate Policy
- The Certificate Policy assigned to the Credential Profile must be marked for Archival
Note: Requests through the API do not honor the validation or role restrictions assigned to the credential profile; any credential profile can be requested.
4.12.1 Inputs
| Class | Field | Data Type | Description | Allow Null? |
|---|---|---|---|---|
| MyIDCertificateRequestPfx | | | | No |
| | CredentialProfileName | String | The credential profile that this request will be made against. It must be a profile set for “Software Certificates Only”. Maps to: CardProfiles.Name | No |
| | PersonIdentifier | String | The unique identifier for finding a person in MyID. This will map to whatever field is specified in the MyID.config file. | No |
| | DistinguishedName | String | Optional Distinguished Name to use for the certificate request. This will be used instead of the Distinguished Name of the person in the MyID database. By default this feature is disabled and needs to be enabled in the MyID.config file if you want to use it. See section 4.12.3, Enabling the Distinguished Name override feature. | Yes if configuration is set to “Optional”, No if set to “Mandatory” |
4.12.2 Output
The output is the Certificates.ID for the new Certificate Request. Any failure to create this request will result in an exception being thrown. Possible error scenarios are:
- Missing data
- The user has not been found
- Credential profile has not been found
- Credential profile is invalid for this certificate request
- Invalid certificate policy
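Because the API itself does not honor the role restrictions on a credential profile (see the note in 4.12), a calling application should check a request before sending it. The following added example, which is not Intercede's code and not part of this document's API, models the input fields and the rules and error scenarios listed above as a client-side pre-flight check. The profile and person lookups are replaced by constructed in-memory dictionaries (an assumption; a real client would query MyID), and the `allowed_profiles` allowlist is an assumed addition that restores a caller-side restriction the service does not enforce.

```python
"""Client-side pre-flight validation for a RequestCertificatePfx call.

Added example, not Intercede's code. The lookup tables below are
constructed stand-ins for MyID data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CredentialProfile:
    name: str
    software_certificates_only: bool
    certificate_policies: List[str]          # names of the policies on the profile
    archival_policies: Set[str] = field(default_factory=set)  # policies marked for Archival


@dataclass
class MyIDCertificateRequestPfx:
    CredentialProfileName: Optional[str]
    PersonIdentifier: Optional[str]
    DistinguishedName: Optional[str] = None


class PfxRequestError(Exception):
    """Raised with the documented error scenario as its message."""


# Constructed sample data (assumption: stands in for MyID's CardProfiles and person records).
PROFILES = {
    "SoftCertProfile": CredentialProfile("SoftCertProfile", True, ["UserAuth"], {"UserAuth"}),
    "SmartCardProfile": CredentialProfile("SmartCardProfile", False, ["UserAuth", "Signing"], {"UserAuth"}),
    "TwoPolicyProfile": CredentialProfile("TwoPolicyProfile", True, ["UserAuth", "Signing"], {"UserAuth"}),
    "NoArchiveProfile": CredentialProfile("NoArchiveProfile", True, ["Signing"], set()),
}
PEOPLE = {"jsmith", "ajones"}


def validate_request(req, dn_override_mode="Disabled", allowed_profiles=None,
                     profiles=PROFILES, people=PEOPLE):
    """Return the resolved CredentialProfile, or raise PfxRequestError.

    dn_override_mode is the AllowDistinguishedNameOverrride setting
    (Disabled, Optional or Mandatory). allowed_profiles, if given, is a
    caller-side allowlist (assumption: the service applies no such check).
    """
    # "Missing data": both mandatory fields must be present.
    if not req.CredentialProfileName or not req.PersonIdentifier:
        raise PfxRequestError("Missing data")
    # DistinguishedName is mandatory only when the override is set to Mandatory.
    if dn_override_mode == "Mandatory" and not req.DistinguishedName:
        raise PfxRequestError("Missing data: DistinguishedName is mandatory")
    # Assumption: reject a DN the service is configured to ignore rather than send it silently.
    if dn_override_mode == "Disabled" and req.DistinguishedName:
        raise PfxRequestError("DistinguishedName supplied but override is Disabled")
    if allowed_profiles is not None and req.CredentialProfileName not in allowed_profiles:
        raise PfxRequestError("Credential profile not permitted for this caller")

    if req.PersonIdentifier not in people:
        raise PfxRequestError("The user has not been found")

    profile = profiles.get(req.CredentialProfileName)
    if profile is None:
        raise PfxRequestError("Credential profile has not been found")

    # Profile rules: Software Certificates Only, exactly one Certificate Policy.
    if not profile.software_certificates_only or len(profile.certificate_policies) != 1:
        raise PfxRequestError("Credential profile is invalid for this certificate request")

    # The single policy must be marked for Archival.
    (policy,) = profile.certificate_policies
    if policy not in profile.archival_policies:
        raise PfxRequestError("Invalid certificate policy")
    return profile


if __name__ == "__main__":
    ok = MyIDCertificateRequestPfx("SoftCertProfile", "jsmith")
    print("accepted:", validate_request(ok).name)
    for bad in (MyIDCertificateRequestPfx("SmartCardProfile", "jsmith"),
                MyIDCertificateRequestPfx("NoArchiveProfile", "jsmith"),
                MyIDCertificateRequestPfx("SoftCertProfile", "nobody")):
        try:
            validate_request(bad)
        except PfxRequestError as exc:
            print("rejected:", exc)
```

The checks are ordered as the documented error list is, so the first failing rule is the one reported; the service's own exception remains the authoritative result, and this check only saves a round trip and lets the caller enforce its own profile allowlist.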
4.12.3 Enabling the Distinguished Name override feature
You can override the Distinguished Name used for a PFX certificate request by providing the DistinguishedName to the endpoint. This value is then used instead of the value stored against the person in the MyID database. This is a powerful feature, and therefore requires an extra configuration change to enable it.
To enable the Distinguished Name override, you must edit the MyID.config file for the CWS web service. By default, this file is in the following location:
C:\Program Files\Intercede\MyID\SSP\CredentialWebService
Open the file in a text editor, and amend the following line:
<add key="AllowDistinguishedNameOverrride" value="Disabled"/>
Set the value to Optional or Mandatory.
Once you have saved the file, recycle the app pool used for the Credential Web Service in IIS. This ensures that the web service is using the latest settings.
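The edit-and-recycle procedure above can be scripted so that the setting is changed to a known-valid value and the previous value is recorded. The following added example is not Intercede's code or tooling; it assumes MyID.config is a standard .NET configuration file containing `<add key="..." value="..."/>` elements (the constructed SAMPLE_CONFIG below stands in for the real file), that the key is spelled exactly as in the documentation, and that the app pool is recycled with IIS's appcmd.exe using a pool name you supply (the name used here is a placeholder).

```python
"""Set AllowDistinguishedNameOverrride in MyID.config and recycle the app pool.

Added example, not part of the MyID product. SAMPLE_CONFIG is a
constructed fragment, not a real MyID.config.
"""
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

KEY = "AllowDistinguishedNameOverrride"        # spelled as in the documentation
MODES = ("Disabled", "Optional", "Mandatory")  # the only values the setting accepts
APPCMD = r"C:\Windows\System32\inetsrv\appcmd.exe"

# Constructed sample of the relevant part of MyID.config (assumption about its layout).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- other settings omitted -->
    <add key="AllowDistinguishedNameOverrride" value="Disabled"/>
  </appSettings>
</configuration>
"""


def _parser():
    # Keep XML comments so rewriting the file does not strip documentation in it.
    return ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))


def _find_setting(root):
    # Tolerate stray whitespace in the key attribute; require exactly one match.
    matches = [a for a in root.iter("add") if (a.get("key") or "").strip() == KEY]
    if len(matches) != 1:
        raise KeyError(f'expected exactly one <add key="{KEY}"> element, found {len(matches)}')
    return matches[0]


def get_dn_override_xml(xml_text):
    """Return the current value of the setting in the given config text."""
    return _find_setting(ET.fromstring(xml_text, parser=_parser())).get("value")


def set_dn_override_xml(xml_text, mode):
    """Return (new_xml_text, previous_value) with the setting changed to mode."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    root = ET.fromstring(xml_text, parser=_parser())
    node = _find_setting(root)
    previous = node.get("value")
    node.set("value", mode)
    return ET.tostring(root, encoding="unicode"), previous


def set_dn_override_file(config_path, mode):
    """Rewrite the file in place and return the previous value for the change record."""
    path = Path(config_path)
    new_text, previous = set_dn_override_xml(path.read_text(encoding="utf-8"), mode)
    path.write_text('<?xml version="1.0" encoding="utf-8"?>\n' + new_text, encoding="utf-8")
    return previous


def recycle_app_pool(pool_name, appcmd=APPCMD):
    """Recycle the IIS app pool so the web service picks up the new setting."""
    subprocess.run([appcmd, "recycle", "apppool", f"/apppool.name:{pool_name}"], check=True)


if __name__ == "__main__":
    config = Path(r"C:\Program Files\Intercede\MyID\SSP\CredentialWebService\MyID.config")
    previous = set_dn_override_file(config, "Optional")
    print(f"{KEY}: {previous} -> Optional")
    recycle_app_pool("CWS_APP_POOL_NAME_PLACEHOLDER")   # placeholder: use the real pool name
```

Rejecting any value outside Disabled, Optional and Mandatory, and refusing to proceed unless exactly one matching element exists, keeps a typo from silently leaving the override in an unintended state; the returned previous value is what you would put in the change record.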